ICO 2026 priorities: AI and biometrics, the Children’s Code and enforcement procedure

In short: There are three priorities for the ICO in 2026: its AI and biometrics strategy, the Children’s Code and its enforcement procedural guidance. They all share one test: can the data controller show how each decision was made, and are the safeguards proportionate to the risk?
The ICO 2026 priorities ask one question of every UK data controller using AI, biometrics or children’s data this year. Show how each decision was made, and prove the safeguards match the risk. Three ICO documents bring that question together: the AI and biometrics strategy update of 17 March 2026, the Children’s Code progress update of December 2025, and the draft enforcement procedural guidance consulted on between October 2025 and January 2026. The most concrete instrument in the programme is the ICO’s draft ADM and profiling guidance, which closes for consultation on 29 May 2026.
How the ICO 2026 priorities fit together
Each of the three documents sits on a different statutory base. The AI and biometrics strategy sets out how the ICO will supervise AI and biometric processing of personal data. It anchors on section 80 of the Data (Use and Access) Act 2025, which inserted Articles 22A to 22D into the UK GDPR on 5 February 2026 by SI 2026/82. The substantive ADM reform under that section is set out in Automated decision-making after the DUAA. The Children’s Code is the statutory code the Commissioner must prepare under section 123 of the Data Protection Act 2018. The 15 standards have been in force since 2 September 2021. The enforcement procedural guidance, when final, will replace the 2018 Regulatory Action Policy as statutory guidance under section 160 of the Data Protection Act 2018. It governs how the ICO uses its expanded DUAA 2025 enforcement powers.
Different bases, different consultation periods, different timetables. The connecting thread is the test the ICO will run across all three. Each workstream picks a class of high-risk processing where one accountability principle bites: the data controller must show how a decision was made, must show that human involvement (where mandated) was real, and must hold a safeguard package the ICO can test against a tougher enforcement regime. The three workstreams are not separate programmes. They are three faces of one push.
Workstream one: AI and biometrics in 2026
The ICO published its AI and biometrics strategy on 25 June 2025 as Preventing harm, promoting trust, and updated it on 17 March 2026. It is running six workstreams under that strategy. Four target private-sector data controllers directly: giving certainty on AI and ADM through guidance and the statutory code; pressing high standards for ADM in central government, with the DWP named as an early adopter; setting clear expectations for ADM in recruitment; and running a foundation model scrutiny programme that engages eleven major developers and builds on the 2024 generative AI consultation series. The remaining two workstreams cover police live facial recognition, where the ICO has completed audits of South Wales, Gwent, Essex and Leicestershire forces and has audits ongoing across West Yorkshire and Greater Manchester, and emerging-AI horizon scanning, in the agentic AI tech futures report of January 2026.
The statutory architecture for this workstream is now in place. SI 2026/425 came into force on 12 May 2026 and places the Commissioner under a statutory duty to prepare a code of practice on the development and use of AI and on automated decision-making. The SI exercises the Secretary of State’s powers under sections 124A and 124B of the Data Protection Act 2018, which sections 92 and 93 of the DUAA 2025 inserted. The Code is not yet drafted. The ICO plans to feed the ADM and profiling guidance consultation into it, and 2027 is the earliest realistic finish date after the s.124B panel review (with national security carved out by regulation 3 of SI 2026/425) and the s.125 laying-before-Parliament process. The Code mandate is set out in ICO AI biometrics: Code of Practice mandated for 12 May 2026.
Workstream two: the Children’s Code in 2025-26
The ICO launched the Children’s Code strategy in April 2024. By October 2025 it had secured improvements at ten platforms covering more than three million children, with a potential reach of 11.7 million children in the United Kingdom, as it reported in December 2025. Twitch, Viber and Hoop gave the ICO default-privacy commitments. The ICO is engaging with Snap and Meta on geolocation processing and the compliance of the map functions on Snapchat and Instagram. In February 2025 the ICO opened a formal investigation into how TikTok processes the personal data of 13 to 17-year-olds in its recommender systems and served an information notice. TikTok has appealed the notice to the First-tier Tribunal on grounds that the processing was for artistic, academic, literary and journalistic purposes, and is not required to comply pending the appeal.
The ICO plans to extend the strategy into the mobile games sector through 2026. Its early review identifies design features (nudge techniques, in-game profiling and dark-pattern monetisation flows) that engage standards 1 (best interests of the child), 7 (default settings), 12 (profiling) and 13 (nudge techniques) of the Code. The ICO has also issued enforcement decisions in adjacent areas: a £14.47 million penalty against Reddit in February 2026 and a penalty against Imgur’s owner MediaLab in the same month, both for children’s privacy failures. For mobile-first products in the games, social or content sectors, the Children’s Code is now a live enforcement risk rather than an abstract design standard. The audit programme also reaches operators outside the social and gaming sectors where any service is likely to be accessed by children under 18. The “likely to be accessed” threshold is broader than “directed at children”.
Workstream three: the draft enforcement procedural guidance
The ICO consulted on draft enforcement procedural guidance between 31 October 2025 and 23 January 2026. The draft is the third leg of the 2026 work programme. When final it will replace the 2018 Regulatory Action Policy and govern how the ICO uses its expanded DUAA 2025 powers. Those include the interview-notice power, the approved-person report power (broadly equivalent to the FCA’s section 166 FSMA skilled-person regime), and the recalibrated PECR fine cap of £17.5 million or 4% of global turnover. The biggest commercial change is the formal tiered settlement framework: up to 40% discount on a penalty if the data controller settles before the ICO issues a notice of intent, up to 30% if the data controller settles after the notice but before the ICO receives written representations, and up to 20% afterwards. Settlement requires the data controller to admit the nature, scope, duration and legal characterisation of the breach. The model draws on the ICO’s experience with the Advanced Computer Software Group and Capita matters. The structure follows the FCA’s DEPP 6.7 declining-discount model and Ofcom’s penalty guidelines, with a higher maximum early discount. The settlement framework is set out in detail in ICO enforcement guidance: settlements, discounts and the new enforcement playbook.
Key findings (ICO 2026 strategic priorities)
- The ICO’s 2026 work programme covers three workstreams: AI and biometrics; the Children’s Code; and the draft enforcement procedural guidance. Source: ICO strategies and plans
- SI 2026/425 came into force on 12 May 2026 and places the Commissioner under a statutory duty to prepare a Code of Practice on AI and ADM; the Code itself is not yet drafted. Source: SI 2026/425
- Articles 22A to 22D UK GDPR (inserted by DUAA 2025 s.80) replaced the old Article 22 ADM regime on 5 February 2026 by SI 2026/82. Source: DUAA 2025 s.80
- The Children’s Code strategy has secured improvements at ten platforms affecting more than three million children since April 2024, with potential reach of 11.7 million children. Source: ICO, December 2025
- The draft enforcement procedural guidance introduces a tiered settlement framework with up to 40% penalty discount available before a notice of intent; settlement requires an admission of the legal characterisation of the breach. Source: ICO enforcement consultation page
- The ADM and profiling guidance consultation closes at 23:59 GMT on 29 May 2026; final guidance is due Summer 2026 per the ICO’s Technology guidance plans. Source: ICO ADM consultation
| Workstream | What the ICO has done | Statutory base | Live hook in 2026 |
|---|---|---|---|
| AI and biometrics | Published the strategy on 25 June 2025; updated on 17 March 2026; SI 2026/425 in force 12 May 2026 | UK GDPR Articles 22A-22D (DUAA 2025 s.80, in force 5 February 2026); UK GDPR Article 35 DPIA; DPA 2018 ss.124A-124B (DUAA 2025 ss.92-93); SI 2026/425 | ADM and profiling guidance consultation closes 23:59 GMT, 29 May 2026; final guidance Summer 2026 |
| Children’s Code | Launched the strategy in April 2024; secured improvements at ten platforms by October 2025; reported in December 2025 | DPA 2018 s.123 (statutory code); 15 Code standards operative from 2 September 2021 | Mobile games sectoral sweep through 2026; TikTok information-notice appeal at First-tier Tribunal; Reddit and MediaLab penalties (February 2026) |
| Enforcement procedural guidance | Consulted between 31 October 2025 and 23 January 2026 | DPA 2018 s.160 (Regulatory Action Policy); DUAA 2025 expansion of investigatory and penalty powers (interview notices, approved-person reports, PECR fine alignment) | Final guidance expected H1 2026; will govern settlement procedure for live and future ICO investigations |
What the integration of three workstreams means in practice
The ICO is using the three workstreams in parallel. The AI and biometrics strategy reaches data controllers running ADM in recruitment, central government services and consequential commercial decisions. The Children’s Code reaches any online service likely to be accessed by under-18s. The enforcement procedural guidance reaches everyone subject to ICO action, but it shifts the economics of a regulatory investigation for the same data controllers in scope of the first two. A data controller running an AI-enabled recruitment screening tool faces exposure on all three fronts: Articles 22A-22D set the ADM safeguards; the Children’s Code (the Age Appropriate Design Code, or AADC) engages if candidates may be under 18 (typical for graduate, apprentice or entry-level processes); and the enforcement settlement framework sets the cost of getting any of that wrong in 2026 and beyond.
Three points stand out for the near term. First, the ADM consultation closing 29 May 2026 is the only one of the three with a public window still open, and the most concrete instrument in the programme. Data controllers running ADM at scale, particularly in regulated sectors, will want their position recorded on the meaningful-human-involvement question and the safeguard set required by Article 22C UK GDPR. Second, the ICO has named mobile games as the next sectoral priority. The audit pattern it has run for social media and gaming platforms will follow in adjacent areas such as children’s content, ad-tech intermediaries and age-rated apps. Third, the enforcement procedural guidance changes the response calculus for any data controller already inside an active ICO investigation. The 40% discount is only available before the notice of intent is issued, so data controllers waiting for formal process will have lost the highest tier. The broader DUAA enforcement reset is at The DUAA Takes Effect: New ICO Powers Meet a Tougher Enforcement Stance.
For UK data controllers running cross-jurisdictional operations, the 2026 work programme also brings a divergence point. The ADM permission-plus-safeguards model under amended Article 22 UK GDPR diverges from the default prohibition the EDPB still reads into Article 22 EU GDPR. The European Commission renewed the UK adequacy decision on 19 December 2025 (valid until 27 December 2031) but flagged the ADM reforms as a point of concern. Dual-regime data controllers cannot assume that UK ADM compliance equals EU ADM compliance.
Viewpoint
I read the ICO 2026 priorities as one accountability push under three banners. The earlier ICO25 strategy (2022 to 2025, now superseded) treated AI, children and enforcement as related but distinct programmes. The ICO has stepped further: it shares one test across all three and signals one response. Show how the decision was made, show that human involvement (where required) was real, show that the safeguards are proportionate, and show that the data controller’s records will hold up under the ICO’s expanded inspection toolkit. The shift is operational rather than legal. The rules largely sit in Articles 5, 22A-22D and 35 UK GDPR, in the Code’s 15 standards and in section 160 of the DPA 2018. What changes is how the regulator will test compliance, what the cost of a failure looks like, and how quickly the discount window closes once an investigation begins.
Frequently asked questions
What are the ICO 2026 priorities for UK data controllers?
The ICO 2026 priorities cover three workstreams. The ICO updated its AI and biometrics strategy on 17 March 2026. It reported on the Children’s Code strategy in December 2025. It consulted on draft enforcement procedural guidance between October 2025 and January 2026. The shared test across all three is whether data controllers can show how a decision was made and show that safeguards are proportionate to the risk of the processing.
When does the ICO’s ADM and profiling guidance consultation close?
The ICO’s draft guidance on automated decision-making, including profiling, is open for consultation until 23:59 GMT on 29 May 2026. Final guidance is due Summer 2026 per the ICO’s Technology guidance plans. The guidance feeds into the statutory Code of Practice mandated by SI 2026/425 (in force 12 May 2026), which the ICO has not yet drafted.
Who does the Children’s Code apply to in 2026?
The Children’s Code under section 123 DPA 2018 applies to providers of relevant information society services likely to be accessed by children under 18, not only to services directed at children. The ICO plans to extend the strategy to mobile games next, with social media, content and ad-tech intermediaries already inside the strategy. The threshold is broad: a service can be excluded only where the operator has a compelling basis to conclude that children will not access it.
What is the ICO’s tiered settlement framework?
The draft enforcement procedural guidance introduces a three-tier settlement framework: up to 40% discount on a penalty if the data controller settles before the ICO issues a notice of intent; up to 30% if the data controller settles after the notice but before the ICO receives written representations; up to 20% afterwards. Settlement requires the data controller to admit the nature, scope, duration and legal characterisation of the breach. The model follows the FCA’s DEPP 6.7 declining-discount structure with a higher maximum early discount.
How do the ICO 2026 priorities affect dual UK/EU data controllers?
UK data controllers operating across both regimes face a structural divergence on ADM. The amended Article 22 UK GDPR moves to permission with safeguards; Article 22 EU GDPR remains a default prohibition. The European Commission renewed the UK adequacy decision on 19 December 2025 (valid until 27 December 2031) but flagged the ADM reforms as a concern. Dual-regime data controllers face UK and EU ADM compliance as separate workstreams, not as a single one.
Bratby Law advises telecoms operators, payments firms and technology businesses on data protection compliance under the UK GDPR and the DUAA 2025, including AI and biometrics deployment, Children’s Code application and ICO investigation strategy. For advice on responding to the ICO’s ADM and profiling consultation before 29 May 2026, on aligning AI products with the ICO 2026 priorities, or on incident response under the new settlement framework, contact Rob Bratby at Bratby Law. Our AI and data governance advice page sets out how we work with data controllers facing the regulator’s 2026 work programme directly.
